DETAILED ACTION

1. This is a non-final Office Action in response to the application filed on January 03, 2006.

2. Claims 1-24 have been examined. 

3. Claims 1-24 are pending. 

Claim Rejections - 35 USC §102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the 
United States before the invention thereof by the applicant for patent, or on an international application by 
another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title 
before the invention thereof by the applicant for patent. 

5. Claims 1, 10 and 15 are rejected under 35 U.S.C. 102(e) as being anticipated by Moran (US Pat. No. 6,647,400).

As per claim 1 : 

Moran discloses a method for detecting intrusion in a host via a monitoring daemon
operating in conjunction with a configuration file defining data entities to be monitored, said 
method as implemented in said host comprising the steps of: 

(a). monitoring said data entities via comparing a locally stored copy of a digital 
signature associated with each data entity against a corresponding digital signature stored 
in a first remote database (column 4: lines 1-15; figure 9: compute signature of a file; 
Does signature match the previously computed signature for file; Abstract; column 4:
lines 17-23; column 32: lines 49-59); and 

(b). upon identifying a mismatch in compared digital signatures, issuing an instruction 
to record an entry in a log file located in a second remote database, said entry identifying 
a possible intrusion in said host (column 32: lines 6-22; column 32: lines 49-59; column 
33: lines 36-41). 



As per claim 10: 

Moran discloses a system to detect intrusion comprising: 

a. a host running a monitoring daemon working in conjunction with a configuration 
file, said configuration file identifying files and directories to be monitored in said host 
and said host communicating with external networks via one or more network interfaces, 
said monitoring daemon dynamically monitoring said files and directories identified by 
said configuration file by comparing a locally stored digital signature corresponding to 
each file or directory against a remotely stored corresponding digital signature (column 4: 
lines 1-15; figure 9: compute signature of a file; Does signature match the previously 
computed signature for file); 

b. a digital signature database remote from said host storing said digital signatures 
associated with files and directories identified by said configuration file (Abstract; 
column 4: lines 17-23; column 32: lines 49-59); and 

c. a log database remote from said host recording entries corresponding to 
mismatches between a digital signature stored in said host and a corresponding digital 
signature in said digital signature database (column 32: lines 6-22; column 32: lines 49-
59; column 33: lines 36-41). 

As per claim 15: 

Moran discloses an article of manufacture comprising a computer usable medium having
computer readable program code embedded therein to detect intrusion in a host via a monitoring
daemon operating in conjunction with a configuration file defining data entities to be monitored, 
said medium comprising: 

a. computer readable program code monitoring said data entities via comparing a 
locally stored copy of a digital signature associated with each data entity against a 
corresponding digital signature stored in a first remote database (column 4: lines 1-15; 
figure 9: compute signature of a file; Does signature match the previously computed 
signature for file; Abstract; column 4: lines 17-23; column 32: lines 49-59); 

b. upon identifying a mismatch in compared digital signatures, computer readable 
program code issuing an instruction to record an entry in a log file located in a second 
remote database, said entry identifying a possible intrusion in said host (column 32: lines
6-22; column 32: lines 49-59; column 33: lines 36-41).

Claim Rejections - 35 USC §103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth 
in section 102 of this title, if the differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at the time the invention was made
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

7. Claims 2-9, 11-14 and 16-24 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Moran (US Pat. No. 6,647,400) in view of Trostle (US Pat. No. 5,919,257).

As per claim 2: 

Moran does not explicitly disclose a method for detecting intrusion in a host via a 
monitoring daemon operating in conjunction with a configuration file defining data entities to be 
monitored, wherein said host communicates with said first and second remote databases via one
or more network interfaces and, subsequent to step (b), said method further comprises the step of
issuing a command to bring down said one or more network interfaces to isolate said host. 
Trostle, in analogous art, however, discloses a method for detecting intrusion in a host via a 
monitoring daemon operating in conjunction with a configuration file defining data entities to be 
monitored, wherein said host communicates with said first and second remote databases via one 
or more network interfaces and, subsequent to step (b), said method further comprises the step of 
issuing a command to bring down said one or more network interfaces to isolate said host (figure 
4: 78-96; figure 5: 100; column 6: lines 30-42). 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to modify the system disclosed by Moran to include a method for 
detecting intrusion in a host via a monitoring daemon operating in conjunction with a 
configuration file defining data entities to be monitored, wherein said host communicates with 
said first and second remote databases via one or more network interfaces and, subsequent to 
step (b), said method further comprises the step of issuing a command to bring down said one or 
more network interfaces to isolate said host. This modification would have been obvious because
a person having ordinary skill in the art would have been motivated to do so to provide a trusted 
technique for detecting illicit changes to executable programs (e.g., a "Trojan horse" appended to 
an executable program by a computer hacker) as suggested by Trostle in (column 3: lines 19-28). 

As per claim 3: 

Trostle discloses a method for detecting intrusion in a host via a monitoring daemon 
operating in conjunction with a configuration file defining data entities to be monitored, wherein, 
subsequent to step (b), said method further comprises the step of issuing a command to an 
operating system of host to bring said host to a single user state (figure 4: 78-96; figure 5: 100; 
column 6: lines 30-42). 

As per claim 4: 

Trostle discloses a method for detecting intrusion in a host via a monitoring daemon 
operating in conjunction with a configuration file defining data entities to be monitored, wherein 
said first remote database and said second remote database are located on a single server or a 
plurality of servers belonging to a local area network (column 3: lines 54-65; figure 1: 12).

As per claim 5: 

Trostle discloses a method for detecting intrusion in a host via a monitoring daemon 
operating in conjunction with a configuration file defining data entities to be monitored, wherein 
communications between said host and first remote database are encrypted (column 5: lines 50-
63; figure 5: 88). 

As per claim 6: 

Trostle discloses a method for detecting intrusion in a host via a monitoring daemon 
operating in conjunction with a configuration file defining data entities to be monitored, wherein 
communications between said host and second remote database are encrypted (column 5: lines 
50-63; figure 5: 88). 

As per claim 7: 

Moran discloses a method for detecting intrusion in a host via a monitoring daemon 
operating in conjunction with a configuration file defining data entities to be monitored, wherein 
said digital signature is an MD5 signature and said first remote database is an MD5 database 
(column 31: lines 46-55). 

As per claim 8: 

Moran discloses a method for detecting intrusion in a host via a monitoring daemon 
operating in conjunction with a configuration file defining data entities to be monitored, wherein 
said second remote database is a SYSLOG database (column 24: lines 47-64). 

As per claim 9: 

Moran discloses a method for detecting intrusion in a host via a monitoring daemon
operating in conjunction with a configuration file defining data entities to be monitored, wherein
said data entities are any of the following: system files, configuration files, or directories
(column 4: lines 5-35).

As per claim 11:

Moran discloses a system to detect intrusion, wherein said first remote database and said 
second remote database are located on a single server or a plurality of servers belonging to a 
local area network (figure 3: 306, 308, 304). 

As per claim 12: 

Trostle discloses a system to detect intrusion, wherein communications between said host 
and said digital signature database are encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 13: 

Trostle discloses a system to detect intrusion, wherein communications between said host 
and log database are encrypted (column 5: lines 50-63; figure 5: 88).

As per claim 14: 

Moran discloses a system to detect intrusion, wherein said digital signature is an MD5 
signature and said first remote database is an MD5 database (column 31: lines 46-55).

As per claim 16:

Trostle discloses an article of manufacture, wherein said host communicates with said 
first and second remote databases via one or more network interfaces and said medium further 
comprises computer readable program code issuing a command to bring down said one or more 
network interfaces to isolate said host (figure 4: 78-96; figure 5: 100; column 6: lines 30-42). 

As per claim 17: 

Trostle discloses an article of manufacture, as per claim 15, wherein said method further 
comprises the step of issuing a command to an operating system of host to bring said host to a 
single user state (figure 4: 78-96; figure 5: 100; column 6: lines 30-42). 

As per claim 18: 

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, said host having one or more network interfaces to communicate 
over one or more networks, said method comprising the steps of: 

a. reading a configuration file to identify data entities to be monitored on a host 
(column 4: lines 1-15); 

b. for each data entity to be monitored, extracting a digital signature from said host 
(figure 9: compute signature of a file); 

c. for each data entity to be monitored, querying a remote digital signature database 
via said one or more network interfaces and requesting a digital signature corresponding 
to said digital signature extracted from said host (figure 9: Does signature match the
previously computed signature for file); 

d. for each data entity to be monitored, receiving said corresponding digital 
signature from said remote digital signature database (figure 3: 308, 306, 304, 312); 

e. matching digital signature received from said remote digital signature database 
with digital signature extracted at said host (Abstract; column 4: lines 17-23; column 32: 
lines 49-59); 

f. upon identifying a mismatch, transmitting an instruction to a remote log database 
via said one or more network interfaces, said instruction executed in said remote log 
database to record an entry in a log file indicating a possible intrusion in said host 
(column 32: lines 6-22; column 32: lines 49-59; column 33: lines 36-41). 

Moran does not explicitly disclose performing any one of, or a combination of, the
following steps: issuing a command to bring down said one or more network interfaces to isolate
said host; or issuing a command to an operating system of host to bring said host to a single user
state. Trostle, in analogous art, however, discloses performing any one of, or a combination of,
the following steps: issuing a command to bring down said one or more network interfaces to
isolate said host; or issuing a command to an operating system of host to bring said host to a
single user state (figure 4: 78-96; figure 5: 100; column 6: lines 30-42).

Therefore, it would have been obvious to a person having ordinary skill in the art at the
time the invention was made to modify the system disclosed by Moran to include performing any
one of, or a combination of, the following steps: issuing a command to bring down said one or
more network interfaces to isolate said host; or issuing a command to an operating system of host
to bring said host to a single user state. This modification would have been obvious because a 
person having ordinary skill in the art would have been motivated to do so to provide a trusted 
technique for detecting illicit changes to executable programs (e.g., a "Trojan horse" appended to 
an executable program by a computer hacker) as suggested by Trostle in (column 3: lines 19-28). 
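The monitoring loop recited in claim 1 (steps (a) and (b)) and spelled out in claim 18 (steps (a) through (f)), as an added example that is not part of this Office Action or of either cited patent. The remote signature database, the remote log database and the follow-up isolation step are in-memory stand-ins so the code runs offline; every path, host name and file content below is constructed for the demonstration. The example also settles one point the claims leave open: an entity with no reference signature in the database is treated as a mismatch rather than passed silently.

```python
"""Added example (not from the Office Action or either cited patent): a
file-integrity monitor modelled on the claimed steps (a)-(f). Remote databases
and the isolation command are in-memory stand-ins; all sample data is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def read_config(config_path: Path) -> List[Path]:
    """Step (a): the configuration file names one data entity per line."""
    entities = []
    for line in config_path.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entities.append(Path(line))
    return entities


def digest_entity(path: Path, algorithm: str = "md5") -> str:
    """Step (b): extract the digital signature of a file or directory on the host.
    The claims recite MD5; the algorithm is a parameter so a deployment can pick SHA-256."""
    h = hashlib.new(algorithm)
    if path.is_dir():
        # A directory's signature covers its sorted entry names, so additions and
        # removals change the digest even though the entries' contents are not read.
        for name in sorted(os.listdir(path)):
            h.update(name.encode() + b"\0")
    else:
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return h.hexdigest()


class RemoteSignatureDB:
    """Stand-in for the remote signature database queried in steps (c) and (d)."""
    def __init__(self, known: Dict[str, str]):
        self._known = known

    def lookup(self, entity: str) -> Optional[str]:
        return self._known.get(entity)


class RemoteLogDB:
    """Stand-in for the remote log database written in step (f)."""
    def __init__(self) -> None:
        self.entries: List[str] = []

    def record(self, host: str, entity: str, expected: str, actual: str) -> None:
        self.entries.append(
            f"host={host} entity={entity} expected={expected} actual={actual} possible_intrusion")


def monitor(host: str, config_path: Path, sig_db: RemoteSignatureDB,
            log_db: RemoteLogDB, algorithm: str = "md5") -> Tuple[List[str], bool]:
    """One monitoring pass. Returns (entities with mismatched signatures, isolate flag).
    The flag stands for the claimed follow-up (interfaces down or single-user state);
    the decision is returned to the caller rather than executed here."""
    mismatches: List[str] = []
    for entity in read_config(config_path):
        actual = digest_entity(entity, algorithm)
        expected = sig_db.lookup(str(entity))
        # Step (e): compare. A reference absent from the database is treated as a
        # mismatch so an unbaselined entity cannot pass silently (fail closed).
        if expected is None or expected != actual:
            log_db.record(host, str(entity), expected or "<none>", actual)
            mismatches.append(str(entity))
    return mismatches, bool(mismatches)


def demo() -> dict:
    """Constructed scenario: two monitored files, one of them edited after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        passwd = root / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        hosts = root / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        config = root / "monitor.conf"
        config.write_text(f"# constructed monitor configuration\n{passwd}\n{hosts}\n")
        # Baseline: the remote database holds signatures taken while the host was trusted.
        sig_db = RemoteSignatureDB({str(p): digest_entity(p) for p in (passwd, hosts)})
        log_db = RemoteLogDB()
        clean, isolate_clean = monitor("host-a", config, sig_db, log_db)
        hosts.write_text("127.0.0.1 localhost\n# unexpected edit\n")  # constructed change
        changed, isolate_changed = monitor("host-a", config, sig_db, log_db)
        return {"clean": clean, "isolate_clean": isolate_clean, "changed": changed,
                "isolate_changed": isolate_changed, "log_entries": list(log_db.entries)}
```

Running `demo()` performs a clean pass (no mismatches, no isolation) and then a pass after one monitored file has changed, which yields a single log entry naming that file and an isolate flag of true. Keeping the isolation decision as a return value rather than an action keeps the detection logic testable and leaves the choice between taking interfaces down and dropping to single-user mode to the operator.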

As per claim 19: 

Trostle discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said digital signature database and said log database are 
located on a single server or a plurality of servers belonging to a local area network (column 3:
lines 54-65; figure 1: 12).

As per claim 20: 

Trostle discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein communications between said host and digital signature 
database are encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 21: 

Trostle discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein communications between said host and log database are 
encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 22:

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said digital signature database is an MD5 database 
(column 31: lines 46-55). 

As per claim 23: 

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said log database is a SYSLOG database (column 24: lines 
47-64). 

As per claim 24: 

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said data entities are any of the following: system files, 
configuration files, or directories (column 4: lines 5-35). 

Conclusion 

8. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

See the Notice of References Cited in form PTO-892 for additional prior art.

Contact Information

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Techane J. Gergiso whose telephone number is (571) 272-3784 
and fax number is (571) 273-3784. The examiner can normally be reached on 9:00am - 6:00pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the organization 
where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 